Hi @serp,
Thanks for reaching out to the Auth0 Community!
I understand that you have questions about blocking users via brute-force protection for testing purposes.
Unfortunately, as you have found, Auth0 currently does not have a way to block users through brute-force protection with an endpoint. Instead, the user can only be brute-force blocked through unsuccessful login attempts.
With that said, your proposed solutions seem like a valid way to test. I would add that the Maximum Attempts login threshold should be set to 1 to make testing quicker. This way, you can use the Password Flow with an incorrect password for all users and trigger a brute-force block.
I hope this helps!
Please let me know if you have any further questions.
Thank you.
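
The test procedure described in the reply above, as an added example that is not part of the original post or Auth0's own code: it sends a deliberately wrong password through the Password Flow for each test user until the tenant reports a brute-force block. Assumptions: `DOMAIN`, `CLIENT_ID` and the user names are placeholders for a test tenant, Maximum Attempts is already set to 1, the application is allowed to use the password grant without a client secret, and the `invalid_grant` / `too_many_attempts` error codes are taken from Auth0's Authentication API documentation.

```python
import json
import urllib.error
import urllib.request

# Placeholders, not values from the post: point these at a test tenant.
DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
WRONG_PASSWORD = "deliberately-wrong-password"


def post_token(domain, payload):
    """POST to /oauth/token and return (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def classify(status, body):
    """Map a token response to an outcome (error codes assumed from Auth0 docs)."""
    if status == 200:
        return "logged_in"
    if body.get("error") == "too_many_attempts":
        return "blocked"
    if body.get("error") == "invalid_grant":
        return "wrong_password"
    return "other"


def block_test_users(usernames, send=post_token, max_tries=3):
    """Fail the login for each test user until the tenant reports a block."""
    results = {}
    for user in usernames:
        payload = {"grant_type": "password", "client_id": CLIENT_ID,
                   "username": user, "password": WRONG_PASSWORD}
        outcome = "other"
        for _ in range(max_tries):
            outcome = classify(*send(DOMAIN, payload))
            if outcome != "wrong_password":
                break
        results[user] = outcome
    return results
```

Any user whose result is not `"blocked"` after the run points to a threshold or protection setting that differs from what the test expects.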